Monday, September 09, 2019

Historical OSINT - The Russian Business Network Says "Hi"

You know you're popular when "they" say "hi".

It's 2009 and I've received a surprising personal email courtesy of guess who: The Russian Business Network, showing off the actual ownership of the hxxp://rbnnetwork.com domain and basically saying "hi". It's worth pointing out that throughout 2008-2013 I extensively profiled, in a variety of post series, the activities of some of the most prolific customers and members of the infamous Russian Business Network, also known as the RBN: blackhat SEO, iFrame and input validation abuse across major Web properties, malvertising and various other malware-serving and client-side exploit-serving campaigns, money mule recruitment and phishing campaigns, and the fake security software, also known as scareware, that was ubiquitous at the time.
It's been a decade since I last profiled the most prolific and sophisticated market-leading bullet-proof hosting cybercrime enterprise, the Russian Business Network, which at the time was dominating the majority of the campaigns I was busy profiling. I did so with the help of fellow researchers, namely Jart Armin and James McQuaid, to whom I owe a big deal of thanks for approaching me circa 2008-2013 and with whom I've been directly or indirectly keeping in touch throughout 2008-2013 for the purpose of offering quality research on the activities of the Russian Business Network, including their customers and their fraudulent and malicious campaigns.
Stay tuned and thanks for reaching out!

Related Russian Business Network (RBN) Research:
I See Alive IFRAMEs Everywhere - Part Two
I See Alive IFRAMEs Everywhere
Bank of India Serving Malware
U.S Consulate in St.Petersburg Serving Malware
Syrian Embassy in London Serving Malware
CISRT Serving Malware
Compromised Sites Serving Malware and Spam
U.S Consulate St. Petersburg Serving Malware
Massive RealPlayer Exploit Embedded Attack
Malware Serving Exploits Embedded Sites as Usual
MDAC ActiveX Code Execution Exploit Still in the Wild
Yet Another Massive Embedded Malware Attack
Embedding Malicious IFRAMEs Through Stolen FTP Accounts
Over 100 Malwares Hosted on a Single RBN IP
Detecting and Blocking the Russian Business Network
Exposing the Russian Business Network
Go to Sleep, Go to Sleep my Little RBN
Injecting IFRAMEs by Abusing Input Validation
RBN's Fake Account Suspended Notices
ZDNet Asia and TorrentReactor IFRAME-ed
Russia's FSB vs Cybercrime
HACKED BY THE RBN!
Rogue RBN Software Pushed Through Blackhat SEO
Wired.com and History.com Getting RBN-ed
The Russian Business Network
Exposing the Russian Business Network
More CNET Sites Under IFRAME Attack
Embedded Malware at Bloggies Awards Site
Have Your Malware In a Timely Fashion
Geolocating Malicious ISPs
More High Profile Sites IFRAME Injected
The New Media Malware Gang - Part Four
Another Massive Embedded Malware Attack

Saturday, September 07, 2019

DDanchev is for Hire!

Looking for a full time threat intelligence analyst, cybercrime researcher, or a security blogger?

Approach me at dancho.danchev@hush.com

Monday, August 19, 2019

g0t Bitcoin?

Dear blog readers, would you dare to take a moment of your precious time to check out a venerable and recently proposed cyber security project investment, including the opportunity to enter a Bold New World of Hacking and Information Security? Has the time come to set them straight? Keep reading.

Check out this Onion - http://lkzihepprlhxtvbutjedoazbsqd4avmifhpjms3zuq7itceiu4qajwad.onion/ and donate today!

Stay tuned!

Friday, August 02, 2019

Assessing the Recently Leaked FSB Contractor Data - A Peek Inside Russia's Understanding of Social Network Analysis and Tailored Access Operations

I've recently managed to obtain a copy of the recently leaked FSB contractor data, courtesy of 0v1ru$ and "Digital Revolution", and I've decided to take a closer look, including an in-depth overview and discussion of the leaked data in the context of today's modern AI-powered automated OSINT technologies and in the broader context of the U.S Intelligence Community. In particular, this covers the utilization of rogue TOR exit nodes for the purpose of intercepting and harvesting TOR exit node data within the Russian Federation, social-network analysis and data-mining, and possible "lawful surveillance" and "lawful interception", including possible data-collection type Tailored Access Operation campaigns launched by "0day Technologies" and "SyTech".

Sample Company Logo:

Sample Company Logo:

Sample personal photos of the individuals behind "0day Technologies" and "SyTech":

Sample Screenshots of the User-Interface behind the "Lawful Surveillance" and "Lawful Interception":

Sample Screenshots of the Rogue and Bogus Tor-Exit-Node Research Project:

Sample URLs involved in the campaign:
hxxp://0day.ru
hxxp://sytech.ru

Sample Telegram account involved in the campaign:
hxxp://t.me/D1G1R3V_DigitalRevolution

Sample Vkontakt account involved in the campaign:
hxxp://vk.com/d1g1r3v

Sample Twitter account involved in the campaign:
hxxp://twitter.com/d1g1r3v
hxxp://twitter.com/0v1ruS

Sample URL known to have participated in the campaign:
hxxp://d1g1r3v.net

Related URL of the currently leaked data:
https://mega.nz/#F!3c0lTaLI!jVUS_O7Q0opCHUPYgK1E_w

Monday, July 29, 2019

Summarizing 4 Years of ZDNet Zero Day Posts Research

It's been quite some time since I last posted a quality blog post regarding my ex-employer CBS Interactive's ZDNet, where I used to work as a Security Blogger for ZDNet's Zero Day throughout 2008-2013, and I wanted to take the time and effort to say thanks to my Editor-in-Chief and Editorial Director, Larry Dignan and David Grober, who provided editorial guidance, including publishing the original post regarding my disappearance circa 2010 and the search for me.

In this post I'll summarize my blogging activity at ZDNet's Zero Day blog throughout 2008-2013, providing my readers with the necessary data, information and knowledge to stay ahead of current and emerging threats.

ZDNet Zero Day Blog Posts - May, 2008
ZDNet Zero Day Blog Posts - June, 2008
ZDNet Zero Day Blog Posts - July, 2008
ZDNet Zero Day Blog Posts - August, 2008
ZDNet Zero Day Blog Posts - September, 2008
ZDNet Zero Day Blog Posts - October, 2008
  • Cybercriminals syndicating Google Trends keywords to serve malware
  • Scammers introduce ATM skimmers with built-in SMS notification
  • Atrivo/Intercage's disconnection briefly disrupts spam levels
  • Adobe posts workaround for clickjacking flaw, NoScript releases ClearClick
  • Asus ships Eee Box PCs with malware
  • Fake Microsoft Patch Tuesday malware campaign spreading
  • Secunia: popular security suites failing to block exploits
  • Survey: 88% of Mumbai's wireless networks easy to compromise
  • Adobe's Serious Magic site SQL Injected by Asprox botnet
  • Inside an affiliate spam program for pharmaceuticals
  • Google to introduce warnings for potentially hackable sites
  • Lack of phishing attacks data sharing puts $300M at stake annually
  • CardCops: Stolen credit card details getting cheaper
  • Cybercrime friendly EstDomains loses ICANN registrar accreditation
  • Phishers apply quality assurance, start validating credit card numbers
  • Spammers targeting Bebo, generate thousands of bogus accounts
ZDNet Zero Day Blog Posts - November, 2008
  • Black market for zero day vulnerabilities still thriving
  • Google and T-Mobile push patch for Android security flaw
  • Fake WordPress site distributing backdoored release
  • Koobface Facebook worm still spreading
  • Cyber terrorists to face death penalty in Pakistan
  • AVG and Rising signatures update detects Windows files as malware
  • BBC hit by a DDoS attack
  • Google fixes critical XSS vulnerability
  • $10k hacking contest announced
  • Anti fraud site hit by a DDoS attack
  • Commercial vendor of spyware under legal fire
  • Fake Windows XP activation trojan goes 2.0
  • Cybercriminals release Christmas themed web malware exploitation kit
  • Google: no evidence of a Gmail vulnerability
  • New worm exploiting MS08-067 flaw spotted in the wild
  • Microsoft's Live launches malware detection service for webmasters
ZDNet Zero Day Blog Posts - December, 2008

Exposing Evgeniy Mikhaylovich Bogachev and the "Jabber ZeuS" Gang - An OSINT Analysis

Continuing the "FBI Most Wanted Cybercriminals" series, I've decided to take a closer look at the "Jabber ZeuS" gang, including Evgeniy Mikhaylovich Bogachev, for the purpose of providing actionable intelligence on the fraudulent and malicious infrastructure that was utilized in the campaign, including personally identifiable information on the individuals behind it, with the idea of assisting law enforcement and the U.S Intelligence community with the necessary data to track down and prosecute the individuals behind the campaign.

In this post I'll provide actionable intelligence on the infrastructure used by the "Jabber ZeuS" gang including personally identifiable information for Evgeniy Mikhaylovich Bogachev and some of his known associates.

Sample Personal Photos of Evgeniy Mikhaylovich Bogachev:

Slavik's IM and personal email, including the responding IP:
bashorg@talking.cc - 112.175.50.220

Personal Address:
Lermontova Str. Anapa, Russian Federation

Instant Messaging account:
lucky12345@jabber.cz

Related name servers:
ns.humboldtec.cz - 88.86.102.49
ns2.humboldtec.cz - 188.165.248.173

Related domains part of a C&C phone-back location:
hxxp://slaviki-res1.com
hxxp://slavik1.com - 91.213.72.115
hxxp://slavik2.com
hxxp://slavik3.com

Slavik's primary email:
luckycats2008@yahoo.com

Slavik's ICQ numbers:
ICQ - 42729771
ICQ - 312456

Related emails known to have participated in the campaign:
alexgarbar-chuck@yahoo.com
bollinger.evgeniy@yandex.ru
charajiang16@gmail.com

Related domains known to have participated in the campaign:
hxxp://visitcoastweekend.com - 103.224.182.253; 70.32.1.32; 192.184.12.62; 141.8.224.93; 69.43.160.163
hxxp://incomeet.com - 192.186.226.71; 66.199.248.195
hxxp://work.businessclub.so

Related information on his colleague (chingiz) as seen in the attached screenshot:

Real Name: Galdziev Chingiz

Related domains known to have participated in the campaign:
hxxp://fizot.org
hxxp://fizot.com - 50.63.202.35; 184.168.221.33
hxxp://poymi.ru - 109.206.190.54

Related name servers known to have participated in the campaign:
ns1.fizot.com - 35.186.238.101
ns2.fizot.com

Related domain including an associated email using the same name server:
hxxp://averfame.org - harold@avereanoia.org

Google Analytics ID: UA-3816538

Related domains known to have participated in the campaign:
hxxp://awmproxy.com
hxxp://pornxplayer.com

Related emails known to have participated in the campaign:
fizot@mail.ru
xtexgroup@gmail.com
xtexcounter@bk.ru

Related domains known to have responded to the same malicious and fraudulent IP - 178.162.188.28:
hxxp://dnevnik.cc
hxxp://xvpn.ru
hxxp://xsave.ru
hxxp://anyget.ru
hxxp://nezayti.ru
hxxp://proproxy.ru
hxxp://hitmovies.ru
hxxp://appfriends.ru
hxxp://naraboteya.ru
hxxp://awmproxy.com
hxxp://zzyoutube.com
hxxp://pornxplayer.com
hxxp://awmproxy.net
hxxp://checkerproxy.net

Related domains known to have participated in the campaign:
hxxp://fizot.livejournal.com/
hxxp://russiaru.net/fizot/

Instant Messaging Account:
ICQ - 795781

Related personally identifiable information of Galdziev Chingiz:
hxxp://phpnow.ru
ICQ - 434929
Email: info@phpnow.ru

Related domains known to have participated in the campaign:
hxxp://filmv.net
hxxp://finance-customer.com
hxxp://firelinesecrets.com
hxxp://fllmphpxpwqeyhj.net
hxxp://flsunstate333.com

Related individuals known to have participated in the campaign:
Slavik, Monstr, IOO, Nu11, nvidiag, zebra7753, lexa_Mef, gss, iceIX, Harderman, Gribodemon, Aqua, aquaSecond, it, percent, cp01, hct, xman, Pepsi, miami, miamibc, petr0vich, Mr. ICQ, Tank, tankist, Kusunagi, Noname, Lucky, Bashorg, Indep, Mask, Enx, Benny, Bentley, Denis Lubimov, MaDaGaSka, Vkontake, rfcid, parik, reronic, Daniel, bx1, Daniel Hamza, Danielbx1, jah, Jonni, jtk, Veggi Roma, D frank, duo, Admin2010, h4x0rdz, Donsft, mary.J555, susanneon, kainehabe, virus_e_2003, spaishp, sere.bro, muddem, mechan1zm, vlad.dimitrov, jheto2002, sector.exploits

Related Instant Messaging accounts and emails known to have participated in the campaign:
iceix@secure-jabber.biz
shwark.power.andrew@gmail.com
johnlecun@gmail.com
gribodemon@pochta.ru
glazgo-update-notifier@gajim.org
gribo-demon@jabber.ru
aqua@incomeet.com
miami@jabbluisa.com
um@jabbim.com
hof@headcounter.org
theklutch@gmail.com
niko@grad.com
Johnny@guru.bearin.donetsk.au
petr0vich@incomeet.com
mricq@incomeet.com
T4ank@ua.fm
tank@incomeet.com
getreadysafebox.ru
john.mikleymaiI.com
aIexeysafinyahoo.corn
rnoscow.berlin@yahoo.com
cruelintention@email.ru
bind@ernail.ru
firstmen17@rarnbler.ru
benny@jabber.cz
airlord1988@gmail.com
bxl@hotmail.com
i_amhere@hotmail.fr
daniel.h.b@universityofsutton.com
princedelune@hotmail.fr
bxl_@msn.com
danibxl@hotmail.fr
danieldelcore@hotmail.com
d.frank@jabber.jp
d.frank@0nl1ne.at
duo@jabber.cn
fering99@yahoo.com
secustar@mail.ru
h4x0rdz@hotmail.com
Donsft@hotmail.com
mary.j555@hotmail.com
susanneon@googlemail.com
kainehabe@hotmail.com
virus_e_2003@hotmail.com
spanishp@hotmail.com
sere.bro@hotmail.com
lostbuffer@hotmail.com
lostbuffer@gmail.com
vlad.dimitrov@hotmail.com
jheto2002@gmail.com
sector.exploits@gmail.com
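The indicator lists in this post use the defanged "hxxp://domain - ip; ip" layout. As an added example that is not part of the original post, the script below turns that layout into a deduplicated, machine-readable form (domains, emails, validated IPs), flags entries that appear more than once and rejects malformed addresses, so a defender can load such a list into a blocklist or a SIEM lookup without hand-editing. The indicator lines embedded in it are constructed placeholders in reserved documentation ranges, not indicators taken from the post.

```python
"""Normalise a defanged OSINT indicator list into a deduplicated blocklist.

Added example, not code from the original post. Handles the layout used in
the write-up above: one indicator per line, optionally followed by " - " and
a ';'-separated list of responding IP addresses; section headers end in ':'.
"""
import ipaddress
import re
from typing import Dict, List, Set

# Constructed sample input (placeholder domains and RFC 5737 documentation IPs),
# deliberately containing duplicates and one malformed IP to exercise the checks.
SAMPLE_BLOCK = """\
Related domains known to have participated in the campaign:
hxxp://malicious-one.example - 203.0.113.5; 198.51.100.7
hxxp://malicious-two.example
hxxp://malicious-one.example - 203.0.113.5
hxxp://malicious-two.example
bad-mailbox@malicious-three.example
hxxp://broken.example - 999.1.1.1
"""

# Matches a defanged URL and captures the host part (up to the first '/' or space).
URL_RE = re.compile(r"^hxxps?://([^\s/]+)", re.IGNORECASE)


def refang(token: str) -> str:
    """Undo common defanging: 'hxxp://' -> 'http://' and '[.]' -> '.'."""
    return re.sub(r"^hxxp", "http", token.strip(), flags=re.IGNORECASE).replace("[.]", ".")


def parse_indicators(text: str) -> Dict[str, List[str]]:
    """Parse a defanged indicator block into sorted, deduplicated lists.

    Returns domains, emails, valid IPs, the IP strings that failed validation,
    and the domains that were listed more than once.
    """
    domain_counts: Dict[str, int] = {}
    emails: Set[str] = set()
    ips: Set[str] = set()
    invalid_ips: List[str] = []

    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.endswith(":"):
            continue  # blank line or a section header such as "Related domains ...:"
        indicator, _, ip_part = line.partition(" - ")
        match = URL_RE.match(indicator)
        if match:
            host = match.group(1).lower()
            domain_counts[host] = domain_counts.get(host, 0) + 1
        elif "@" in indicator:
            emails.add(indicator.lower())
        else:
            host = indicator.lower().rstrip("/")  # bare domain without a scheme
            domain_counts[host] = domain_counts.get(host, 0) + 1
        for ip_text in ip_part.split(";"):
            ip_text = ip_text.strip()
            if not ip_text:
                continue
            try:
                ips.add(str(ipaddress.ip_address(ip_text)))  # rejects e.g. 999.1.1.1
            except ValueError:
                invalid_ips.append(ip_text)

    return {
        "domains": sorted(domain_counts),
        "duplicates": sorted(h for h, n in domain_counts.items() if n > 1),
        "emails": sorted(emails),
        "ips": sorted(ips),
        "invalid_ips": invalid_ips,
    }


if __name__ == "__main__":
    result = parse_indicators(SAMPLE_BLOCK)
    for key, values in result.items():
        print(f"{key}: {values}")
```

The parser keeps the defanged form on input and only refangs on demand, so a copied list cannot become clickable by accident; invalid IPs are reported rather than silently dropped, because a transcription error in an IoC list is itself worth a second look.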

We'll post new updates as soon as new developments take place.

Related posts:
Exposing Iran's Most Wanted Cybercriminals - FBI Most Wanted Checklist - OSINT Analysis
Who's Behind the Syrian Electronic Army? - An OSINT Analysis